The REJECT target rejects the packet. If you do not specify which ICMP message to reject with, by default, the server will send back "ICMP port unreachable" (type 3, code 3).

REJECT

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP so it is a terminating TARGET, ending rule traversal. This target is only valid in the INPUT, FORWARD, and OUTPUT chains, and user-defined chains which are only called from those chains. The following option controls the nature of the error packet returned:

--reject-with type

The type given can be:

icmp-net-unreachable

icmp-host-unreachable

icmp-port-unreachable

icmp-proto-unreachable

icmp-net-prohibited

icmp-host-prohibited

icmp-admin-prohibited (*)

which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes, which frequently occur when sending mail to broken mail hosts (which will not accept your mail otherwise).

(*) Using icmp-admin-prohibited with kernels that do not support it will result in a plain DROP instead of REJECT